Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Phoghat writes "A top defense and cybersecurity expert says the U.S. should stop trying to take aim at expert hackers and start doing a better job of recruiting them. 'Let's just say that in some places you find guys with body piercings and nonregulation haircuts,' says U.S. Naval Postgraduate School professor John Arquilla . 'But most of these sorts of guys can't be vetted in the traditional way. We need a new institutional culture that allows us to reach out to them.'"

Want to reach the hacking culture? It's like hiring tribes people to help log the Amazon rainforest. Corporations should learn from the mistakes made in those senarios before even thinking of strategies such as this.

The irony here is although the Govt started the Internet as an official project, it has always rested on the shoulders of academics and the talent of the hacking community, corporations come further down the list.

Want to reach the hacking culture? It's like hiring tribes people to help log the Amazon rainforest. Corporations should learn from the mistakes made in those senarios before even thinking of strategies such as this.

What the corporate MBAs would immediately deduce is that the tribespeople had been improperly incentivized, and should have been offered different shiny stuff. Numerous case studies would then be performed to find the optimum lowest-cost shiny stuff to offer to induce tribespeople to wreck their environment. Devastation of the rainforest would not be abated, while corporate profits and MBA bonuses would increase grotesquely for a few quarters.

Similar dysfunctional thinking would be applied to recruiting hackers.

From what I see, if the US government has to reach to the hacking culture, they need to "atone" for Operation Sun Devil. Right now, at best, they can get contractors because of this. Unlike China where their citizens will happily go to a computer room and start doing their work.

The pogrom against Steve Jackson Games and other sites forever made any person with non-tivial skillz not interested in any way to work for the US, just for fear that they will be labeled a "terrorist" should something happened, an

Principles can be overridden with money. Doesn't even need much. The benefit is that some of those hackers are very highly skilled, and they are used to not playing by the rules - which is good, because the enemies of the US won't be playing by the rules either.

That's the idea, anyway. I think in practice any good hacker (As opposed to a conventionally, formally trained engineer) is going to be driven half-crazy by the highly conformist military culture, and those that can stick with it are going to need constant micromanaging to keep them on their assigned mission ('You want me to disassemble yet another possible Chinese worm? BORING!') rather than using the available resources to do what they think is best ('Ohh, I'll write a virus that installs HTTPSeverywhere and blocks RST packets! That'll totally screw with China's filtering!').

No, principles can be overridden with ego. Real hackers are about the science. Hackers that are out to damaage things are about their egos. That's actually what mades hiring them fruitless. Once they get bored with the 'I work ops for the FBI' or whatever, they'll move on to, 'I'm a double agent' so and so forth etc...That's why instead of building things they find it much easier and gets them more attention to break things. No, they aren't good bets.

That's the idea, anyway. I think in practice any good hacker (As opposed to a conventionally, formally trained engineer) is going to be driven half-crazy by the highly conformist military culture, and those that can stick with it are going to need constant micromanaging to keep them on their assigned mission ('You want me to disassemble yet another possible Chinese worm? BORING!') rather than using the available resources to do what they think is best ('Ohh, I'll write a virus that installs HTTPSeverywhere and blocks RST packets! That'll totally screw with China's filtering!').

I know they, the military, didn't drive me crazy as I was already there! On the other hand, I do know I drove my command structures more than a little crazy; military behavior was the only down item on my evaluations which were characterized with 4.0's (2.0 in Military Behavior). What I did have was very, very high-level protection. That was the result of turning an (potentially multi-million dollar) IT disaster-in-the-making into a success. After that, if you needed weird, well for the time, from the s

This article is really bad.. The gov is not going to just come out and ask to begin with, and it is a known fact they quietly have hackers working for them, or they set something up intentionally to get hacked, of course it is a test to see how it was hacked, and what they could do going forward. Not something they do all the time, but it is done..

To have the Defense industry bankroll a witch-hunt to find these individuals, so they can be forced to sign up for a cyber-tour of duty and bureaucratic nonsense which burns their skins, so various corporations / interested parties can hire them away with better offers to engage in industrial espionage? In the name of patriotism and the American way, I'm sure GM / GE is willing to crack into foreign firms and lift their intellectual property.

I say it's awfully childish. Do we really want the Internet to be an unstable place?

It is far more childish to think that if we just play nice, everyone else will follow suit. The Internet will not be made secure by covering our eyes, crossing our fingers, and praying. It will only be more secure by making sure that those interested in its security have bigger "guns" than those interested in its instability.

Or by actually investing in secure technologies and practices. In real life, it's better to make sure those interested in security are well-armed because there's not much that can withstand a bazooka, but, online, it's very difficult to compromise communications encrypted with 4096-bt RSA.

Internet Security is a fantasy. Allowing anyone and everyone access to the network makes it almost impossible. I can't believe that servers with secure information would ever, under any circumstances be connected to something so untamed. For starters all my secure computers would never run a disk based operating system. The entire OS would reside in ROM and when it was time for an upgrade I'd burn a new chip. Expensive? Not as expensive as having 1.5 billion dollars worth of research hacked. I don't think network security is nearly paranoid enough.

The entire OS would reside in ROM and when it was time for an upgrade I'd burn a new chip. Expensive? Not as expensive as having 1.5 billion dollars worth of research hacked. I don't think network security is nearly paranoid enough.

What makes you think you're going to write an OS without a single security flaw that could be exploited?Burning it to ROM is just ensuring the exploit lingers in the wild longer than it should.

It makes it impossible to rewrite the software. No worries that your files are infected. Flawed software can be rewritten and another ROM burned. But at least you know that any malware on the chip is your own.

This is why we have file permissions, read/append/no-exec only filesystems, and file integrity checking. If there is a 0day vulnerability it's as though your systems are already compromised. Also where are users going to store their documents, emails, databases? What about software that makes changes? Do you really want to rewrite a rom for each system in your enterprise and have some dude walking around swapping it out?

This is a system for extreme security. For average stuff I'd say no. If I have a billion dollars in research on file I can't think of any reason not to spend huge amounts of money to keep it safe. Think about it, for 100 grand the local bank is sufficient, how about 1 billion dollars? You want it there or somewhere with loads of guards and high fences.

I don't think writing an OS to rom has a good cost/benefit ratio when it comes to computer security, not anymore anyhow. There are 100 other things that you could be doing first that are going to go further giving you bang for your security buck. Also I want you to consider the logistics of replacing all these chips, having a tech walk around and upgrade these machines is going to expensive and time consuming. Also you're going to have to account for human error in this process unless you have each one

If you hand out bigger "guns" and the internet becomes a warzone, everyone loses. The only way to keep it civilized is by handing out better "armor", making "guns" as ineffectual as possible. Since the military isn't interested in armor only and i don't trust them to use "guns" in a reasonable way (if there actually is one) i don't know why i should put me under their command.

I can see it now, the war finally winde up in the basement of a 'nuked' building and two groupls of stinky dirty people wark away frantically trying to hack the opponents computer connected by a single ethernet cable. They hurl insults at one another and chide and talk sepremecy of morals and ethics until all the sudden one of them trips on the cable and pulls it from the jack on the back of the computer. It's there they all freeze. Completely confused and not knowing what to do. And they stay there ina

An organic system is inherently unstable - this is why the global network is so resilient against targetted attacks (such as wide-scale DNS poisoning [xelerance.com], root name server outage [codeseekah.com]...). The system will route around the dark spot. Whether or not it's "what the man wants" is irrelevant. If "The Man" wants the Internet to go dark permanently, all "The Man" has to do is cause a global, total and simultaneous blackout of every node, domain and name server, webserver - anything with a CPU and internet connection.

What makes you think it's stable now? Although I think "Cyberwarfare" is more media drama than actual warfare, networks could be doing a lot more to make them more secure. We don't becuase, users. Users don't want inconvenience. Users don't want two passwords (one email, one login). Users want their desktop on their mobile device. Users want access to confidential data on the same PC their kids play on. Don't get me wrong, without users there's no need for a network but things have gotten way out of hand with security.

I think it's a good sign that some places in the tech industry are starting to realize they could be doing better. Maybe they will finally get around to listening to real experts instead of paid-for marketing shills.

Problem with backdoors is, the insecurity points both ways - you can't have it secure just for you and insecure for others.
Once you put the backdoors into everything, they are there, ready to be misused against everyone, including you, whatever noble puropse you thought they were to initially serve.
Thinking nobody will find out is delusional. This will not end well:(

It's sorta funny to read this type of bleating in a Slashdot article that appears on the same day as one that says the Chinese government has backdoors in 80% of Telecoms to sniff information.

Look, ya dumb sheep.

They are already waging war against us, enemy and "friendly" states already use their government resources to steal intellectual property and wage industrial espionage against the United States. You obviously don't actually run any internet-facing services or you would see this shit in your logs.

The fact that our government doesn't do it aggressively too is the odd part. It's time to man up and fight back or your children (assuming you manage to breed) will be speaking Chinese and working for Russian mobsters for a daily loaf of bread.

Haha... you really need to take a good look and consider who are the sheep and who is the shepherd!Do you honestly believe that the US Govt. doesn't have backdoors / access to backdoors in 99% of US telecoms tech?

I can't figure out whether commenters like this are just dumb or funny. I would guess that it's both. How about I let you pay for your governments perpetual wars? I want no part of them, You can keep your government, too, while you are at it

Some of the most talented technical people I know are also the most clean-cut and athletic. Some of the worst, show-offs who know the talk but little else, fall into your usual hacker stereotype with their appearance. I think the former is more realistic, and the latter is more romantic fantasy— brought on by people who idealize Gibson. In other words, why bother? The first group is more likely to give you a well-rounded individual who actually knows her material. The second group is a total crapshoot.

The problem is that vetting the ethics of a hacker needs someone who has insight in the cultural framework as much as the technical capabilities of the person under review, and that is MILES beyond your average HR setup.

I know from my own experience that the best reviewer for tech is someone who is either a former hacker him/herself, or has a personality that borders on Aspergers. You cannot understand technical people if you do not have the required mental tools, and especially the brighter hackers do not exactly conform to the standard employee model.

So, use one to know one, and forget about your average corporate HR droid doing anywhere near a sensible assessment. Oh, and forget about standard management techniques either - not only does it take one to know one, it certainly takes one to manage them.

Actually, that's how I got hold of the first security admin for a company I had just helped setting up. After an internal move (prior to official launch) I inherited a desk that was obviously HR. It had a stack of CVs in, all with "no" across the top. 4 CVs in I see the perfect candidate, so I got him in. He stayed there for 3 years or so..

I know that the vast majority of "hackers" are script kiddies.. but to say they're less skilled than our offering of security professionals is not true. Talk to your average CISSP you'll see that the skill distribution on the other side of the fence is equally matched. It's funny because most CISSP study material provides these frauds their excuse for lacking technical knowledge by chapter one.Golden nuggets like:"I don't need to know the details because I'm a manager"AND"Saying hackers are going to prov

Or, instead of spending all that money on institutional reach out plans, why not kidnap their wife/son/grandma to entice them to work for you?
You can lock them overnight in a room with no contact to the outside except for a 1994 style beeper and a blunt swiss pocket knife. Oh, and some chewing gum, an out of work WWE wrestler guarding the door, and a red Ferrari parked in the back parking lot. Trust me, details matter.

Take highly competent tech people who are generally speaking somewhat anti-authoritarian, give them the tools to do nasty things to the nations enemies via hacking, malware programming etc, and expect them to keep their mouths shut about it.A lot of people don't trust the government - and often with very good reason - why would they want to hack for it?How long until the complete log files of everything they and everyone they associate with are sent to Wikileaks?Find technical people who are not anti-authoritarian and get them to do your hacking - just hire them for ability and knowledge rather than the traditional military virtues that most military organizations look for. In fact, hire them as civilian contractors and then keep them away from the rest of the military:P

you have to realize that many of the "cyber hackers" the government is eyeballing are the very same people that love nothing more than to leak classified data and hack into defense secrets solely because they view your establishent as the problem.

speaking as one of the the aformentioned non-regulation pierced guy, i can say that each time i hear a blowhard suit at the anything-department wax prophetic upon anything prefixed with "cyber," i roll my eyes, turn up the hardcore techno, and go back to writing that python interface for the communications receiver I bought on craigslist a few months back.

no one cares about the next war you're trying to sell america except the mouthbreathing walmartians in the sticks. the people youre trying to "reach out to" explicitly do not respond because they arent stupid enough to nod when told "be all you can be." as knowledge is power they understand enough about your institution to avoid it at all costs. all its done in the past 40 years is act as an engine of misery, destruction and sorrow across the globe.

"be all you can be" is not just a powerful message, it is a threat. Realise that what government is really saying there is that all you can really be is only achievable at this point if you are part of that government institution, and people that this message is aimed at cannot get government jobs as press secretaries, congressional staff or even regulators in an executive office. This is a threat and the reason government can issue it is because it is the very institution that creates the conditions, und

What I just heard you say is that they need to stop putting out commercials and need to start producing more military-themeed cartoons with public service announcements embedded in them [youtube.com], that way they can brainwash the next generation of kids to become adults who support the military.

"all its done in the past 40 years is act as an engine of misery, destruction and sorrow across the globe."

Because it is ironic? http://www.pdfernhout.net/recognizing-irony-is-a-key-to-transcending-militarism.html [pdfernhout.net] "Likewise, even United States three-letter agencies like the NSA and the CIA, as well as their foreign counterparts, are becoming ironic institutions in many ways. Despite probably having more computing power per square foot than any other place in the world, they seem not to have thought much abou

Which is why they are fighting them instead of recruiting. After they get a hacker, they give him a choice between an unrealistically long prison service and a slap on the wrist provided they join them. Most hackers have chosen the latter.

Why should some who say may be in a wheelchair not be able to do work like just because of having to go to boot camp or the same thing about age rules so you have long time pros come in that may be to old to pass boot camp.

Also there are smart IT people who don't have the mental mindset to handle a boot camp as well.

You expect inclusiveness from the US military? Up until quite recently, their policy was to kick out anyone they determined to be gay. Their policy on women is still to confine them to desk jobs, far away from combat. Perhaps it would be better to strip the DoD from all responsibility for internet security and assign such tasks exclusively to a new agency, answerable directly to congress. They'd work with the military and intelligence services, but not be part of them. No boot camp, no ranks, and a staff of

IT / Software folks arent that special, offensive network operations aren't magic, get over yourselves. Everyone in the military learns to function as an infantry man at least at a rudimentary level for a reason.

I'm serious, because to-date I haven't seen much recruitment effort of 'seniors', you know, like, 40+ types. But I do see a lot, and I mean a lot of things to disqualify anyone that might apply, (for all the G-Jobs I see), even though folks might apply for all the right reasons. Even people older than 40, perhaps because of their inherit threat, but what do I know? They might even be so old as to be on medical marajuana in another state, and fear drug tests and a permanent stain on their future I.T./data ce

older pros are needed as just having JR's is missing out on people with experience know that the book says this but in the real IT systems doing it this way works better in the good IT classes aka ones at community colleges and tech schools teach like that as well as a lot of them are IT pros and know what it is right.

Actually, if you understand what makes hackers, hackers... Then the threat of 'senior' staff is as follows. Most hackers, narcissist or not, put all of their effort in to one facet. They may be at the top for a few years but as soon as technology moves on so does their interest. They are stuck in the field they started in. It's that kind of commitment that drives a hacker in the first place, it's the same commitment that keeps them from moving to different fields.

Most of the world isn't English speaking, so what do you know about it? Just because you are European or some other nationality (economics considers EU a nation) doesn't really give you the right to speak for the world. Some of which (looking at you, China) are heavily invested in stealing corporate and gov't technology.Defense contractors and military sources get pounded with millions of probes from other states each month. And employees are regularly spied on. A couple years ago a company had a bunch of c

More like thugs with piles of corpses of corpses in their basement, that are overshadowed only by their needy desire for approval and respect, gang up on anybody looking at them the wrong way, while robbing those they claim to protect blind. Which is exactly the opposite of what you claim it is, defending something of value. It's destroying value, and for pitiful reasons.

Bill Hicks said it best, why even bother typing when I could quote that:

The world is like a ride in an amusement park, and when you choose to go on it you think it's real, 'cause that's how powerful our minds are. The ride goes up and down, and round and round. It has thrills and chills, and it's very brightly coloured, and it's very loud. And it's fun, for a while.

Some people have been on the ride for a long time, and they begin to question: "Is this real, or is this just a ride?". Other people have remembered, and they come back to us, and they say: "Hey, don't worry, don't be afraid, ever, because: This is just a ride". And we kill those people.

"Shut him up! We have a lot invested in this ride. Shut him up! Look at my furrows of worry; Look at my bank account; and my family. This just has to be real."

It's just a ride. But we always kill those good people who try to tells us that - you ever noticed that? - and let the demons run amok. But it doesn't matter, because... it's just a ride, and we can change it any time we want.

It's only a choice, no effort, no work, no job, no savings of money; a choice, right now, between fear and love. The eyes of fear want you to put bigger locks on your doors, buy guns, close yourself off. The eyes of love, instead, see all of us as one.

Here's what we can do to change the world, right now, to a better ride. Take all that money we spend on weapons and defence each year and instead spend it feeding, clothing and educating the poor of the world - which it would many times over, not one human being excluded - and we can explore space together, both inner and outer, forever, and in peace.

Bill Fucking Hicks.

And if you think a comedian doesn't count, try just about any great mind... they more or less all agree. They either didn't write about it, or they said something to the effect of the above. Anything lower than that is just mediocre BS. People lie to themselves, so they lie to you ("you" as in "the people"), and you drag that cart all the way up the hill... in it? Banal bullshit. Trinkets and lies. Coffins are being flushed down the toilet, while show tunes play.

War is a way of shattering to pieces, or pouring into the stratosphere, or sinking in the depths of the sea, materials which might otherwise be used to make the masses too comfortable, and hence, in the long run, too intelligent.

George Orwell.

Could it be for the same reason that a jewelry store outspends a hot dog stand on defense?

I love when people anthropomorphize reality. Well, or think there's some evil cabal of "fat cats" forcnig the world into misery and war for profiteering purposes. I'd say both are equally idiotic.

What Hicks says appeals to a certain sort of person who likes to see themselves as "above it all". All of us "squares", why we're just "Wage slaves" (I _know_ you're a user of that ridiculous phrase) while you've totally seen through it.

America outspend the rest of the world on what it still calls "defense".

I wonder why. Could it be for the same reason that a jewelry store outspends a hot dog stand on defense?

A perfect example of "American Exceptionalism". Wake up, buddy, you ARE a hot-dog joint... maybe bigger than a stand, but still a fast-food establishment. You only need to look for what US tries so hard to sell [slashdot.org] nowadays... crappy Hollywood movies/music.

Let me guess, you want them to use Linux because it was magically written to be impervious to attack. A dollar say s I can crack your Linux box faster than you can crack win95, assuming you even have the skills to do that? Get past your bias.

This presupposes that the cultural clash between the military and the hackers is about their fashion choices instead of being about devoting your life to the more efficient killing of other people in the pursuit of enriching the already rich and powerful.

Quiet right you can vet hackers the same way you do any one else - OK not all would be cool with the job and what is involved in being vetted for DV / TS. But any one who works in high end tech jobs is probably going to face the decision do I work on defense work.
But this guy seems to have zero idea, Gary McKinnon FFS he was caught hacking into NASA looking for info on UFOs - this is a short step from the sort of people who post on Usenet claiming that the BBC is sending them secret messages via the medi

Last I checked I'd have a hard time considering most of the people arrested by the FBI "world class" hackers. The majority of Black Hat hackers are generally scriptkiddies. Most of the best (the ones who do it to see if they can) are either Grey or White already work for a security firm which pays FAR better then the government would. If the gov wants to hire the best hackers then they need to start offering better pay then giving the excuse âoeyou get the warm fuzzy feeling that your protecting your c

Did anyone see "Catch Me If You Can"? True story. The FBI hired a master conterfeiter and con-man. Trust? Both the CIA and the FBI have vetted guys and moved them to high posts while they were working for the KGB. With a hacker you know what you're getting. They have to decide whether they want to protect their country from enemies, foreign and domestic. Don't expect them to jump on board with massive personal intrusion, expect them to go after bad guys. They have to accept that they are going to watched, t

Oh wow, really dude? They're going to do like all the dozens of movies that have portrayed this kind of stuff already? Cool dude!!!
What a joke the propaganda BS media has become. Very very insulting to our intelligence indeed.

Like that really worked for Brittain when they failed to properly vette a generation of intelligence officers in the 1930's and 1940's. And ended up having to do it all post-haste in the 1960's and 1970's. And when the United States cheerfully trained and armed a large number of irregular soldiers in Latin America and Asia in the 1980's. And are still fighting their remnants in the Wars on Drugs and Terror.

What happened in the 1980s may have been a culture, but hacking is a skill, like programming, or spying, or forensics.

You can teach it, if you find the intelligent and dedicated people.

The problem is that government alienates such people. First, it's heavy on rules and regulations (a/k/a "conservative"); second, it's designed to reward participation instead of excellence (egalitarianism, a liberal trait).

If you want to know why hackers, artists and philosophers end up alone in vans down by the river, it's b

It was far more likely to be the pocket protector MIT/Caltech brigade than the idiotic stereotypical "hacker" with his tattoos and piercings.

The anti-government "Anonymous" type hackers are little children compared to the people the government has access to, I doub't they're looking to slum and are too worried about being unable to hire the anti-establishment set.